No more headaches trying to figure out who changed that GPO that broke the Internet Explorer functionality of half the users of your environment.
Note that AGPM is part of the MDOP, so hopefully your company has Software Assurance (SA) and you can leverage the benefits of this tool.
So let's get started!
Before you start the installation, go to your AD and create 1 service account, 4 Security Groups and 1 Distribution Group. The service account is required by AGPM during the installation. This account will do all the actions behind the scenes on behalf of the administrators managing Group Policies. It must be a member of either the Domain Admins AD security group or of the Group Policy Creator Owners and Backup Operators groups (the latter pair is the less privileged choice). It also requires full permissions on the System Temp folder and it has to be a local administrator of the computer where AGPM is being installed.
svc_AGPM
AGPM_Admins - add yourself to this group for now
AGPM_Reviewers
AGPM_Approvers
AGPM_Editors
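The AD preparation described above, scripted as an added example (not part of the original post). It assumes the ActiveDirectory RSAT module, a hypothetical target OU "OU=AGPM,DC=corp,DC=example", that it runs on the future AGPM server as a domain admin, and uses the less privileged Group Policy Creator Owners + Backup Operators option rather than Domain Admins; the unnamed distribution group from the post is left for you to create.

```powershell
# Added example: prepares the service account and the four AGPM role groups.
# Assumptions: ActiveDirectory module available, OU below exists, run on the
# AGPM server itself so the local Administrators / Temp folder steps apply.
Import-Module ActiveDirectory

$ou      = 'OU=AGPM,DC=corp,DC=example'   # assumption: OU for the new objects
$svcName = 'svc_AGPM'
$groups  = 'AGPM_Admins', 'AGPM_Reviewers', 'AGPM_Approvers', 'AGPM_Editors'

# 1. Service account. Password is prompted, never hard-coded; it never expires
#    and the account cannot change it, which is the usual service-account shape.
$pwd = Read-Host -Prompt "Password for $svcName" -AsSecureString
New-ADUser -Name $svcName -SamAccountName $svcName -Path $ou `
    -AccountPassword $pwd -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'AGPM service account'

# 2. Least-privilege option from the post instead of Domain Admins.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $svcName
Add-ADGroupMember -Identity 'Backup Operators' -Members $svcName

# 3. The four delegation groups as global security groups (idempotent).
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupCategory Security `
            -GroupScope Global -Path $ou -Description "AGPM role: $g"
    }
}
# Put yourself in AGPM_Admins for now, as the post suggests.
Add-ADGroupMember -Identity 'AGPM_Admins' -Members $env:USERNAME

# 4. Local requirements on the AGPM server: local Administrators membership
#    and Full Control (inherited to files and subfolders) on the system Temp.
$domainUser = "$env:USERDOMAIN\$svcName"
Add-LocalGroupMember -Group 'Administrators' -Member $domainUser
icacls "$env:SystemRoot\Temp" /grant "${domainUser}:(OI)(CI)F"

# 5. Verify the memberships just granted before starting the installer.
Get-ADPrincipalGroupMembership -Identity $svcName | Select-Object -ExpandProperty Name
```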
OK. Now you can start the installation. From the MDOP splash screen launch the Install Server (architecture of your choice), or launch it from the AGPM folder. Click on Next. Accept the license. Leave the default location where the AGPM server will be installed and click on Next.
Now you have to specify where the Archives folder will be created. The archives folder holds the offline GPOs and the history of changes made to the GPOs. In this case I will leave it in its default location. Click on Next.
Specify the service account you've created earlier and click on Next.
Leave the default and click on Next.
Untick all languages and leave only the one you require and click on Next.
If you click on Details it will display the list of all requirements, but don't worry if they are not present: they will be installed automatically.
Click on Finish. OK, the installation is now complete. Now let's configure it. This first step is not required but recommended. From the GPMC go to User Configuration / Policies / Administrative Templates / Windows Components / AGPM and set your AGPM server name in the 'AGPM: Specify default AGPM Server (all domains)' setting.
Now go ahead and install the AGPM client. If you want you can install it on the same server where you installed the AGPM server. I won't go into the installation details as it is straightforward.
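The same default-server setting, created as a GPO from PowerShell instead of by hand in the GPMC editor; this is an added example, not part of the original post. It assumes the GroupPolicy and ActiveDirectory RSAT modules, a hypothetical server 'agpm01.corp.example' on the default AGPM port 4600, and that the registry value below is the one the AGPM administrative template writes (assumption: check it against your copy of agpm.admx).

```powershell
# Added example: GPO that sets 'AGPM: Specify default AGPM Server (all domains)'.
# Assumptions: GPO name, server name and the registry value are placeholders /
# assumed values; verify the key/value name against the AGPM ADMX in your install.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName    = 'AGPM - Default Server'           # hypothetical GPO name
$agpmServer = 'agpm01.corp.example:4600'        # hypothetical host:port
$domainDn   = (Get-ADDomain).DistinguishedName

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Points AGPM clients at the archive server'
}

# User-side policy value (the setting lives under User Configuration in GPMC).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\AGPM' `
    -ValueName 'AGPMServer' -Type String -Value $agpmServer | Out-Null

# Link at the domain root so every admin workstation picks it up.
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null

# Read back what was written for a quick check.
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\AGPM'
```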
If you open GPMC now you can see there is a new node named Change Control. Click on it and let's discover it.
The first tab is Contents / Controlled. All GPOs created from this node are placed there, as well as any existing GPO you take control of.
The Uncontrolled tab lists all existing GPOs not yet under AGPM control, and any GPO created outside the Change Control node.
The Domain Delegation tab displays the AD group we specified during the installation. This is where we are going to add the other groups that you created earlier.
The AGPM Server tab displays the server which manages the archives. You can select the 'Delete old GPO version' option to save some space, but the size of the offline GPOs and the history of changes is so small that I don't think it's worth it.
And finally the Production Delegation tab displays the default groups which have permissions to manage GPOs outside the Change Control node (only the ones created after the AGPM implementation).
OK. Now go back to the Domain Delegation tab, add the other groups and assign permissions accordingly. Also specify the details for approval requests sent by email. In the picture below you can see I configured it so that the email originates from the AGPM_Admins and goes to the AGPM_Approvers.
Now jump back to the Production Delegation tab and configure who should have permissions to view/change GPOs outside the Change Control node (in production, and only for those created after the AGPM implementation).
Now let's create our first controlled GPO. Navigate to the Controlled tab, right click in the blank space and click on New Controlled GPO.
If you are using a user that doesn't have the permissions to create GPOs, this is the screen you are going to see. There you can ask the AGPM_Approvers to approve the GPO's creation. Give it a name and a comment, choose whether or not to create it from a template, and specify if it will be created in the archive and in production or only in the archive. If you choose archive only then you are working on an offline GPO which can be deployed to production later. Click on Submit.
As you can see it succeeded.
This is what the members of the AGPM_Approvers will receive in their inbox.
Now you can see your request in the Pending tab. It will stay there until you withdraw it or one of the approvers approves or rejects it.
If you right click it you can withdraw it.
Logged in as one of the Approvers, right click on the pending request and select Approve.
Give it a meaningful comment.
And there it is! Your first controlled GPO.
Now log in as one of the editors, click on Check Out (this is required to make sure no more than one person edits it at the same time) and click on Edit.
Once you made the required changes, click on Check In.
Then click on Deploy, to deploy it to production.
Now, as the editors don't have permissions to create or deploy policies, a new request will be sent to the Approvers.
Right clicking the policy you can check the History of all changes.
In the Unique tab you can roll back the policy. Just right click an earlier version and click on Deploy.
Now if you expand the Group Policy Objects in GPMC and select the GPO just created you can see in the delegation tab what you set before in the Production Delegation in the Change Control node.
This was a long post; I didn't expect it to be this long! As you can see, if AGPM is configured right you can keep control of your GPOs easily.